ColdFusion Tutorial

Secure Web Pages with Cold Fusion

Some pages should only be reachable by users who have logged in. This tutorial gives you the basic idea of how to secure web pages with ColdFusion. In this example we use the application.cfm file to check the session variable IsLoggedIn. ColdFusion runs application.cfm before every template in the same directory (and in subdirectories that have no application.cfm of their own), so each protected page gets the check without repeating it; on a case-sensitive file system the file must be named Application.cfm. If IsLoggedIn is not set, the user is presented with the login form. If it is set, the user has already logged in earlier during the current session. The tutorial also explains how to restrict access to different pages for users with different access levels.

Creating the database:

The table you need to add to the database needs a primary key of type "AutoNumber". Below is the table for this tutorial.

ID AutoNumber
User_Name Text
User_Password Text
User_Access_Level Text
User_First_Name Text
User_Last_Name Text

After you have created the table, add some users to your database. Give some of them the access level "Administrator" and set the others to "Member". In the ColdFusion Administrator, create your data source, and type the data source name into the "application.cfm" file (your_DSN). Note that the tutorial keeps the password in clear text in User_Password so that the login query can compare it directly; a production application should store a salted hash instead and compare against that, so that a copied table does not hand out every user's password.

application.cfm

<!--- All variables set here (in application.cfm) can be accessed by all pages that use this application.cfm file. --->

<!--- ********************************************************* --->

<!--- Your data-source name --->

<cfset request.main_DSN = "your_DSN">

<!--- Name your application and enable session variables. --->

<!--- Set the session timeout period using 'CreateTimespan(days,hours,minutes,seconds)'. --->

<CFAPPLICATION NAME="Login"

SESSIONMANAGEMENT="YES"

SESSIONTIMEOUT=#CreateTimespan(0,0,30,0)#>

<!--- Check if user is logged in, if NOT force user to login. --->

<cfif NOT IsDefined("SESSION.Auth.IsLoggedIn")>

<!--- Include the login form template. --->

<cfinclude template="login.cfm">

<cfabort>

</cfif>

index.cfm

<!--- Open the login form (login.cfm). --->

<cflocation url="login.cfm">

login.cfm

<!--- Check whether the login form has been submitted by testing for the form fields.

If it has, look the user up and log in; if not, display the login form. --->

<cfif IsDefined("Form.user_name") AND IsDefined("Form.user_password")>

<!--- Look up the entered username and password. The form values are passed through
cfqueryparam so the database receives them as bound parameters, never as part of the
SQL text. Pasting them straight into the statement would let a password such as
' OR '1'='1 log in without knowing any real password (SQL injection). --->

<cfquery name="find_user" datasource="#request.main_DSN#">

SELECT * FROM LoginAdmin

WHERE User_Name = <cfqueryparam value="#Form.user_name#" cfsqltype="cf_sql_varchar" maxlength="25">

AND User_Password = <cfqueryparam value="#Form.user_password#" cfsqltype="cf_sql_varchar" maxlength="25">

</cfquery>

<!--- If RecordCount is 0, no user is found, give an error message and open the login form.

Else if user is found, login the user. --->

<cfif find_user.RecordCount IS 0>

Invalid Username or Password.

<cfelse>

<!--- Get user info, first name, last name and access level. --->

<cfset SESSION.Auth = StructNew()>

<cfset SESSION.Auth.IsLoggedIn = "Yes">

<cfset SESSION.Auth.user_first_name = find_user.User_First_Name>

<cfset SESSION.Auth.user_last_name = find_user.User_Last_Name>

<cfset SESSION.Auth.user_access_level = find_user.User_Access_Level>

<!--- Everything is ok. Send the user to menu template. --->

<cflocation url="menu.cfm">

</cfif>

</cfif>

<!--- Place the cursor in the 'User Name' field when the page loads and start the login form. --->

<body onLoad="document.login.user_name.focus();">

<!--- The action attribute is set to CGI.SCRIPT_NAME, which always holds the relative URL of the currently executing template.

So when the user clicks 'Login' the same template reloads and the cfif block above processes the form. --->

<cfform name = "login" action = "#CGI.SCRIPT_NAME#" method = "post">

Please log in: <br>

<!--- Field for "User Name". --->

<!--- The attribute required is set to yes, so if the field is empty

the text in the message attribute will be displayed. --->

User Name:

<cfinput name="user_name" type="text" size="25" maxlength="25" required="yes" message="Please enter 'User Name'.">

<br>

<!--- Field for "Password". --->

Password:

<cfinput name="user_password" type="password" size="25" maxlength="25" required="yes" message="Please enter 'Password'.">

<br>

<input type="submit" value="Login">

</cfform>

</body>
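Why the password lookup has to use bound parameters, as an added example that is not part of the original tutorial: the script below rebuilds the login.cfm lookup against an in-memory SQLite copy of the LoginAdmin table, in Python so that it runs without a ColdFusion server. login_vulnerable() pastes the form values straight into the SQL text, which is how the lookup reads when cfqueryparam is left out, and can be logged into with the password ' OR '1'='1 or the username alice' --. login_parameterized() binds the values the way cfqueryparam does and rejects both. login_hashed() goes one step further: it looks the user up by name only and then checks the password against a salted PBKDF2 hash kept in User_Password instead of the clear-text password. The account names, passwords and the PBKDF2 work factor are constructed for this example.

```python
"""Added example, not part of the ScandicWeb tutorial: the login.cfm lookup
rebuilt three ways against an in-memory SQLite copy of the LoginAdmin table.
All account names and passwords are constructed test data."""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed accounts, one per access level used by the tutorial.
SAMPLE_USERS = [
    ("alice", "s3cret-admin", "Administrator", "Alice", "Admin"),
    ("bob", "member-pass", "Member", "Bob", "Member"),
]
PBKDF2_ROUNDS = 100_000  # assumed work factor for the example


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt_hex$digest_hex'.
    This is what goes into User_Password instead of the clear-text password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def make_db(hashed: bool = False) -> sqlite3.Connection:
    """In-memory LoginAdmin table with the tutorial's columns.
    hashed=False stores clear-text passwords exactly as the tutorial does."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE LoginAdmin ("
        " ID INTEGER PRIMARY KEY AUTOINCREMENT,"
        " User_Name TEXT, User_Password TEXT, User_Access_Level TEXT,"
        " User_First_Name TEXT, User_Last_Name TEXT)"
    )
    rows = [
        (name, hash_password(pw) if hashed else pw, level, first, last)
        for name, pw, level, first, last in SAMPLE_USERS
    ]
    con.executemany(
        "INSERT INTO LoginAdmin (User_Name, User_Password, User_Access_Level,"
        " User_First_Name, User_Last_Name) VALUES (?, ?, ?, ?, ?)",
        rows,
    )
    return con


def login_vulnerable(con, user_name: str, user_password: str):
    """Form values spliced into the SQL text: a quote in the input
    closes the literal and the rest of the input becomes SQL."""
    sql = (
        "SELECT User_Name, User_Access_Level FROM LoginAdmin"
        f" WHERE User_Name = '{user_name}' AND User_Password = '{user_password}'"
    )
    return con.execute(sql).fetchone()


def login_parameterized(con, user_name: str, user_password: str):
    """Equivalent of wrapping each value in cfqueryparam: the values are bound
    to placeholders and are never parsed as SQL."""
    sql = (
        "SELECT User_Name, User_Access_Level FROM LoginAdmin"
        " WHERE User_Name = ? AND User_Password = ?"
    )
    return con.execute(sql, (user_name, user_password)).fetchone()


def login_hashed(con, user_name: str, user_password: str):
    """Recommended shape: bound lookup by name only, then verify the
    submitted password against the stored salted hash in code."""
    row = con.execute(
        "SELECT User_Name, User_Password, User_Access_Level FROM LoginAdmin"
        " WHERE User_Name = ?",
        (user_name,),
    ).fetchone()
    if row is None or not verify_password(row[1], user_password):
        return None
    return (row[0], row[2])


if __name__ == "__main__":
    plain = make_db()
    # The password field closes the quote and appends OR '1'='1', matching every row.
    print("vulnerable, injected   :", login_vulnerable(plain, "alice", "' OR '1'='1"))
    print("parameterized, injected:", login_parameterized(plain, "alice", "' OR '1'='1"))
    hashed = make_db(hashed=True)
    print("hashed, right password :", login_hashed(hashed, "alice", "s3cret-admin"))
    print("hashed, wrong password :", login_hashed(hashed, "alice", "nope"))
```

Run the file directly to see the injected login succeed against the spliced query and fail against the bound one. In the tutorial's CFML, the bound lookup is the cfqueryparam version of the query; the hashing step has no direct counterpart on the page, and ColdFusion's Hash() function with a per-user salt stored next to the digest is the nearest built-in equivalent if you add it.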

menu.cfm

<b>Menu.</b>

<br>

Welcome:

<br>

<!--- Display the user's first name. --->

First Name: <cfoutput>#SESSION.Auth.user_first_name#</cfoutput>

<br>

<!--- Display the user's last name. --->

Last Name: <cfoutput>#SESSION.Auth.user_last_name#</cfoutput>

<br>

<!--- Display the user's access level. --->

Access level: <cfoutput>#SESSION.Auth.user_access_level#</cfoutput>

<br>

<!--- Link to Administrator page. Only users with admin privileges can view this page. --->

<a href="admin_page.cfm">Administrator page</a>

<br>

<!--- Link to Members page. Both users with admin and members privileges can view this page. --->

<a href="members_page.cfm">Members page</a>

admin_page.cfm

<b>Administrator Page.</b>

<br>

<!--- Check the user's access level. The level was copied into the session at login,
so a change made in the database only takes effect the next time the user logs in. --->

<cfif SESSION.Auth.user_access_level IS "Administrator">

<!--- Enter code for Admin here. --->

This is only for users with Admin privileges.

<br>

<cfelse>

<!--- Error message if the user does not have Admin privileges. --->

Sorry. Only users with admin privileges can access this page.

<br>

</cfif>

<a href="menu.cfm">Back to menu</a>

members_page.cfm

<!--- Both administrators and members can view this page, so no access-level check is needed here.
The login check itself is still enforced, because application.cfm runs before this template. --->

<b>Members Page.</b>

<br>

This is the member's page. Both users with Admin and Members privileges can view this page.

<br>

<a href="menu.cfm">Back to menu</a>

User Comments: 13

 I finally figured it out

Fran, you made a minor mistake.

First create the act_logout.cfm file, then paste the following in there:


<cfparam name="URL.status" default="logged_out">
<cfparam name="URL.goto" default="">

<!--- Expire the cookie to log out, and redirect back to home page. --->
<cfcookie name="agent_last_hit" value="0" expires="now">

<!--- Can't do a cflocation and still get the cookie to set, so use JS here to redirect --->
<cfoutput>
     <script>
          <cfif URL.goto is "home">
               window.location.href="/index.cfm";
          <cfelse>
               window.location.href="index.cfm?status=#URL.status#";
          </cfif>
          </script>
</cfoutput>

Now in any page you can just put this small code

You can attach the action to a graphic or text link as follows:
<a href="act_logout.cfm?goto=home"><img src="/images/whatever.jpg" width="583" height="84" border=0 alt="Log Out and Return to Main Site"></a>

OR

     <a href="act_logout.cfm?goto=home" style="color:white; font:12px Arial,Helvetica,Sans-serif;">Log Out</a>

Note: If you look carefully, "home" is linked to your login URL.

That's it

 To Webmaster

I sent the codes to you but have not heard from you. Did you get it?

 RE: Don't let me hanging like this

Hi Brian

Send me a copy of your code.

webmaster@applayit.com

Type 'Brian need help 5673' in the subject.

Use "Donate" and I'll look into your code asap.


Regards
Webmaster

 SOMEONE PLEASE HELP ME

Can someone please help me? Don't leave me hanging like this. Please.

Log Out

Clear your session variables. You will see the code for that entered below by Jordan. That should do it.

 Weird..

I included the code: <a href="act_logout.cfm?goto=home">Logout</a> in the MAIN MENU page

and made a new page named act_logout.cfm

When I clicked on the Logout Link it takes me to

www.mypage/act_logout.cfm?goto=home

Message I received:

window.location.href="index.cfm?status=logged_out";

When I clicked the back button I could still see the main menu page. Should it know that I have already logged out? I must have done something wrong here. Can someone help?

 Here is the logout

You can attach the action to a graphic or text link as follows:
<td><a href="act_logout.cfm?goto=home"><img src="/images/whatever.jpg" width="583" height="84" border=0
               alt="Log Out and Return to Main Site"></a></td>
     </tr>
        <tr>
          <td align="right">
     <a href="act_logout.cfm?goto=home" style="color:white; font:12px Arial,Helvetica,Sans-serif;">Log Out</a></td>
     </tr>
In this case "home" is the site home page.

  Here  is the action page (act_logout.cfm)

<cfparam name="URL.status" default="logged_out">
<cfparam name="URL.goto" default="">

<!--- Expire the cookie to log out, and redirect back to home page. --->
<cfcookie name="agent_last_hit" value="0" expires="now">

<!--- Can't do a cflocation and still get the cookie to set, so use JS here to redirect --->
<cfoutput>
     <script language="javascript">
          <cfif URL.goto is "home">
               window.location.href="/index.cfm";
          <cfelse>
               window.location.href="index.cfm?status=#URL.status#";
          </cfif>
          </script>
</cfoutput>

I believe that you can now do a cflocation and set cookies in 7.0, so you can use that if you want in place of the JS script. Or if you are not concerned with setting cookies, just use cflocation in place of the JS script. Pretty easy. Enjoy.

 Logout Session

Hello, I read what you wrote on the bottom but I have no idea what is going on, can someone explain to me a little bit more? I'm a newbie.

 Session clear for Log out

I kept getting an error including this in the login file, so I moved it to its own file and set up a simple link to it from the menu page.

You can put the link anywhere. It works very well. In addition, the script is missing a closing </cfif> tag.

HERE'S YOUR SESSION CLEAR. This will work on any login or anything that uses a variable!

<cfparam name="action" default="">
<cfif Action IS "logout" AND IsDefined("session.loggedin")>
     <!--- Actual logging out: drop every session variable --->
     <cflock timeout="30" name="Clear_session" type="exclusive">
          <cfset StructClear(session)>
     </cflock>
     <!--- Send the user away once the session is cleared --->
     <cflocation url="http://www.cybercompros.com">
</cfif>

You need to put that in the page that contains your actual login script, except you would create a button that has the URL (location) of your login script page and passes a URL param action=logout, for example: www.jordonbedwell.com/loginscript.cfm?action=logout

 Logout for this script?

Does anyone know how to create a logout page especially for the above script?

It would be greatly appreciated!

Many thanks...

Neil

 What you were looking for about adding quest

Use this, it's from the example! :O)

<b>Your page name.</b>
<br>
<!--- Check users access privileges. --->
<cfif SESSION.Auth.user_access_level IS "your_access_group name">
   <!--- Enter code for Admin here. --->
   Page Content
   <br>
   <cfelse>
   <!--- Error message if user not have Admin privileges. --->
   Sorry. Only users with admin privileges can access this page.
   <br>
</cfif>
<a href="menu.cfm">Back to menu</a>


Now look at the line that has <cfif SESSION.Auth.user_access_level IS "your_access_group name">; that's where you put your new access group.

 How to give access to a new group, called 'quest'?

I have implemented this code in my application. And everything works perfect ;-)

I have also created a new user group called 'quests' in my database.
The problem is how I can set up the access rights for this group. I only want admin and quest to access some pages.

Hope someone can give me a hint how to do this.

Chris


ScandicWeb is owned by Scandic Systems LTD [UK] Company No. 5984000. All other trademarks and copyrights are the property of their respective holders.



Server time: 19. November 2008 Wednesday